On the Mechanization of the Proof of
Hessenberg’s Theorem
Marc Bezem1 and Dimitri Hendriks2
1
Department of Computer Science, University of Bergen
P.O. Box 7800, N-5020 Bergen, Norway
[email protected]
2
Department of Computer Science, Vrije Universiteit Amsterdam
De Boelelaan 1081a, NL-1081 HV Amsterdam, The Netherlands
[email protected]
Abstract. Hessenberg’s Theorem (1905) states that in projective plane
geometry Pappus’ Axiom implies Desargues’ Axiom. Besides being a
beautiful theorem, it has an interesting history in that the proof contained a gap for almost 50 years. This makes it worthwhile to formalize
the proof by Cronheim (1953), which was claimed to be (and indeed is)
complete. The formalization has been carried out in a fragment of firstorder logic called coherent logic, with a particularly simple tableaux-like
proof procedure. The main novelty here is the use of a tool which has
been able to generate large parts of the proof, in particular taking care
of the large number of degenerate cases. Our proof is intuitionistic, the
Law of Excluded Middle has not been used. All proofs have been independently verified in Coq.
1
Introduction to Projective Plane Geometry
As perceived by the human eye, the two parallel tracks of a railroad seem to meet
each other at the horizon. This phenomenon is commonly called perspectivity
and is caused by the fact that our visual system works through projection on
the retina. Projective geometry tries to capture this phenomenon (and many
others!) by extending the ordinary x, y-plane in the following way.
1. For each direction in the plane an ideal point is added serving as the point
where all parallel lines of that direction meet.
2. To comply with the axiom that any two points are on a line an ideal line is
added through all the ideal points.
Ideal points are also called points at infinity and likewise the ideal line is called
the line at infinity. In order to fully comply with the axiom that any two points
are on a line, we take the line through a normal point and an ideal point to be
the line through the normal point in the direction corresponding to the ideal
point. Observe that we now also have achieved that every two lines intersect,
including parallel ones and a normal and the ideal line.
The above construction may be visualized as follows. Consider the unit sphere
x2 + y 2 + z 2 = 1 and the (tangent) plane z = 1. Through projection from the
origin, the points in this plane are in one-to-one correspondence with pairs of
antipodal points on the unit sphere. From the latter we must of course exclude
the pairs with z = 0. These pairs are a natural choice for points at infinity,
since parallel lines in the plane z = 1 are projected onto great circles on the unit
sphere and the pair of antipodal points with z = 0 depends only on the direction.
(A great circle on a sphere is the intersection of the sphere with a plane through
the center of the sphere. Two parallel lines in z = 1 define two planes through
the origin which intersect in a third parallel line in z = 0.) The great circle with
z = 0 on the unit sphere finally forms a natural choice for the line at infinity.
The above model, where the ‘lines’ are great circles on the unit sphere and
the ‘points’ are pairs of antipodal points on the same sphere, may be considered
as the standard model of the real projective plane. There are many other projective planes, not necessarily based on the real numbers, even finite ones. In this
paper we take the axiomatic approach, where we postulate a number of essential
properties shared by all structures that one would like to call ‘projective planes’.
These may or may not satisfy additional properties, such as those of Pappus and
Desargues, whose interrelation we study.
A beautiful principle in projective geometry is that of duality. Duality in a
projective plane P means that we can interchange the rôles of points and lines
while keeping the incidences. In this way one obtains another projective plane,
namely the dual plane P d . In any statement about incidences which is valid
in P, the words point and line can be systematically interchanged to obtain
a dual statement, which is valid in P d .3 The duality principle follows from the
observation that the axioms either are self-dual (i.e., they imply their own duals),
or their duals are themselves listed as axioms. If a statement is valid in all
projective planes, then its dual is also valid in all projective planes. Duality is
also visible in the standard model:
a point is a pair of antipodal points with all great circles through them,
a line is a great circle with all pairs of antipodal points on it.
In the next section we identify a fragment of first-order logic in which reasoning is easy and which at the same time is expressive enough to formulate
projective geometry.
2
Coherent Logic
As far as we know, Skolem [9] was the first who used coherent logic (avant la
lettre) to solve a decision problem in lattice theory and to prove the independence
of Desargues’ Axiom from the basic axioms of projective plane geometry. Modern
coherent logic arose in algebraic geometry, see for example [7, Sect. D.1.1]. In this
3
Duality carries over to derived concepts such as connecting line, collinear and intersection, concurrent, respectively, to be introduced later.
paper we define coherent logic (abbreviated by CL) as the fragment of first-order
logic consisting of implicitly universally quantified implications of the following
form:
A1 ∧ · · · ∧ An → ∃x1 . C1 ∨ · · · ∨ ∃xm . Cm
where the Ai are first-order atoms and the Cj are conjunctions of such atoms.
We use some obvious notational optimizations to improve readability: if n = 0,
then we may leave out → altogether; if m = 0, then we may write ⊥ (falsum)
to denote an empty disjunction; empty existential quantifications are left out.
Closed atoms, that is, atoms without free variables, are also called facts.
CL has a tableaux-like proof theory which is based on using the formulas
above as production rules (Skolem: Erzeugungsprinzipien) to generate new facts
from already known ones, distinguishing cases for each disjunct in the conclusion. Existential quantifiers are eliminated by introducing witnesses. A further
explanation of this reasoning mechanism can be found in Section 4. The proof
theory is complete and reasoning in CL is constructive in the sense of intuitionistic logic. Based on a simple translation to natural deduction, proofs can be
verified directly in the logical framework Coq [10]. All this has been described
in [1,2].
In the next section we work towards a machine-oriented axiomatization of
projective plane geometry and point out some subtleties w.r.t. the formulation. The complete proof of Hessenberg’s Theorem, assembled from three large
machine-generated subproofs, is described in Section 5 in a way which is still
readable for humans. All files can be found on [3, see readme].
3
3.1
Axiomatic Projective Plane Geometry
Axioms for humans
A projective plane is two-sorted: there are points and lines and there is one
primitive relation between these, the incidence relation. Let uppercase letters
range over points, and lowercase letters over lines. If point P and line l are
incident, notation P | l, we say that ‘P lies on l’ and that ‘l passes through P ’. A
point lying on two lines l and m is called their intersection, and is written (lm).
Dually, a line passing through two points P and Q is called their connecting line,
and is written (P Q). A set of points is said to be collinear if there exists a line
incident with all points in the set. Dually, a set of lines is said to be concurrent
if there exists a point incident with all lines in the set.
The axioms of projective geometry are as follows.
Axiom 1 Any two points are incident with a line.
Dually, we postulate:
Axiom 2 Any two lines are incident with a point.
The following self-dual axiom guarantees that (P Q) and (lm) are uniquely determined for distinct P, Q and l, m, respectively.
Axiom 3 Two distinct points cannot both be incident with two distinct lines.
There are some subtle differences with other, perhaps more familiar, formulations; we discuss the correspondence with two of the axioms given in [4, p. 13]:
Any two distinct points (lines) are incident with just one line (point).
It is not hard to see that these statements are implied by Axioms 1–3. For the
reverse implication, we need the existence of two distinct points, which follows
from other axioms listed in [4].
We now present Pappus’ Axiom4 ; see Figure 1. Coxeter [4] states Pappus’
Axiom as follows:
If alternate vertices of a hexagon lie on two lines, the three pairs of
opposite sides meet in three collinear points.
Thus, given a hexagon P Q0 RP 0 QR0 , where the points P, Q, R are on one line
and points P 0 , Q0 , R0 are on another line, the pairwise intersections
S ≡ ((P Q0 )(QP 0 ))
T ≡ ((RP 0 )(P R0 ))
U ≡ ((QR0 )(RQ0 ))
lie on the so-called Pappus line, the dashed line in Figure 1. Following [4], a
P
Q
R
S
P0
T
Q0
U
R0
Fig. 1. Pappus’ Axiom
Pappus configuration is conveniently given by a 3 × 3 matrix (Pij ). The intersection of (P1i P2j ) and (P2i P1j ) is then P3k , for all different i, j, k. (This can be
visualized by striking out the rows and columns in which P1i , P2j occur.) For
example, the matrix in Figure 1 reads:


P Q R
 P 0 Q0 R0  .
U T S
4
Pappus’ Axiom is often referred to as Pappus’ Theorem, because it is true in, for example, the real projective plane. Pappus’ Axiom is, however, not true in all projective
planes.
In order to exclude some degenerate cases in which the intersections S, T, U
are indeterminate and possibly not collinear, Pappus’ Axiom requires some sideconditions, of which several alternative formulations (often not explicitly stated)
can be found in the literature. We discuss some of these formulations and show
how they relate to our formulation.
A. In the formulation of [4], we believe these side-conditions are present in the
use of the word ‘hexagon’. The hexagon is assumed to be non-degenerate,
i.e., its sides are pairwise distinct.
B. A close reading of [5] reveals the assumption of six distinct points, three on
one line and three on a distinct line.
C. Another variation is to require that none of P, Q, R is incident with the line
that joins P 0 , Q0 , R0 , and vice versa.
D. We choose yet another formulation, which ensures determinacy of the intersections S, T, U by requiring the lines that should determine these intersections to be distinct.
It is easily seen that both A and B imply D. As for C, we formally verified
the logical equivalence of the version of Pappus’ Axiom with side-conditions C
and the one with side-conditions D. The simple fact that C is expressed by a
conjunction of length 6, whereas D by one of length 3, seems to lengthen the
proof search to such an extent that we prefer the latter:
Axiom 4 (Pappus) For collinear P, Q, R and collinear P 0 , Q0 , R0 , the intersections ((QR0 )(RQ0 )), ((RP 0 )(P R0 )), and ((P Q0 )(QP 0 )) are collinear if they are
determinate.
As first observed by Hessenberg [6], Axioms 1–4 imply Desargues’ Axiom,
stated as follows:
Axiom 5 (Desargues) Two triangles perspective from a point are perspective
from a line (under suitable side conditions).
Two triangles A1 A2 A3 and B1 B2 B3 are said to be perspective from a point S
if the three lines joining corresponding vertices meet in S. Dually, two triangles
are said to be perspective from a line l if the three intersections of corresponding
edges are joined by l. S and l are called the perspectivity point and perspectivity
line, respectively. An example Desargues configuration is depicted in Figure 2.
In the next subsection we present the ‘machine’ version of Axioms 1–4. This
‘mechanization’ involves the unfolding of defined notions such as ‘collinear’, ‘determinate’ and ‘perspective’, in terms of the primitive incidence relation. Also,
some formulas have to be replaced by (obvious) equivalents in order to comply
with the CL-format as defined in the introduction.
3.2
Axioms for machines
Plane geometry with its points and lines is most naturally formalized as a twosorted theory. There is no principal difficulty in generalizing CL to many-sorted
S
A1
B1
B3
P2
P3
B2
A3
A2
P1
Fig. 2. Example of a Desargues configuration. In space, with the triangles
A1 A2 A3 and B1 B2 B3 in different planes, the perspectivity line is the intersection of these two planes. This gives an easy proof for the two-dimensional
case as well, essentially using the third dimension.
coherent logic. However, the current implementation supports only one sort.
Therefore we have formalized plane geometry as a one-sorted theory (as done
in, e.g., [4]).
There exists a standard reduction of many-sorted logic to one-sorted. For
every sort s one introduces a unary predicate s(x) whose purpose is to express
that x is of sort s. Quantifications with respect to sort s are then relativized.
This means that everywhere ∀s x. φ becomes ∀x. (s(x) → φ) and ∃s x. φ becomes
∃x. (s(x) ∧ φ). The equality predicates for the various sorts are all replaced by
one-sorted equality =. Note that relativization essentially preserves the coherent
format. In this way any many-sorted (coherent) formula φ can be translated
into a one-sorted (coherent) formula φ0 . We then have the following well-known
result:
|=m φ iff ∆ |= φ0
(∗)
Here |=m expresses truth in all many-sorted models and ∆ contains some axioms
related to the translation 0 . It is standard to let ∆ consist of axioms ∃x. s(x) for
all sorts s. These axioms are necessary, since domains in first-order logic are
non-empty, and they are also sufficient for obtaining the equivalence (∗). It is
less well-known that one may actually add several other axioms to ∆ and still
get equivalence. Of course the idea is not so much to complicate ∆ unnecessarily,
but to take advantage of the extra axioms in simplifying φ0 . We elaborate this
in the next paragraphs.
In order to simplify things we restrict attention to the case of plane geometry
with sort p for points and l for lines. Besides those two sorts the signature
contains | expressing incidence of a point with a line (incidence is not and cannot
be a symmetric relation in the many-sorted approach). The one-sorted signature
would then consist of two extra unary predicates p(x) and l(y) besides x | y
expressing that ‘object’ x lies on ‘object’ y. Here the intended meaning of ‘object’
is point for x and line for y, but these meanings are not imposed by one-sorted |
but by neighbouring atoms p(x) and l(y) coming from the relativized quantifiers.
A more informative | is desirable. The axiom we would like to add to the
standard ∆ is x | y → p(x) ∧ l(y). Why would such an extension be allowed?
In order to see this we must enter the standard argument for the equivalence
(∗), in particular from right to left as strengthening ∆ amounts to weakening
the right-hand side. This argument is based on transforming any many-sorted
model into a one-sorted model of ∆ in the following way. Let the one-sorted
domain be the union of the domains of the many-sorted model. Interpret the
unary predictes p(x) and l(y) as the subsets of points and of lines, respectively,
of this union. Interpret x | y by the set of pairs of points and lines that are
incident in the many-sorted model. The standard argument now proceeds by
proving by formula induction that any φ is true in the many-sorted model if and
only if φ is true in the corresponding one-sorted model of ∆. This argument can
still be used. The only extra observation we make is that the one-sorted model
also validates the axiom x | y → p(x) ∧ l(y) added above. This completes the
justification of the extension of ∆.
Thus we add x | y → p(x) ∧ l(y) to the standard axioms:
∆ = {∃x. p(x), ∃x. l(x), (x | y → p(x) ∧ l(y))}
What then are the benefits of this extension? In order to answer this question
we observe that p(x) ∧ φ ∧ x | y can be simplified to φ ∧ x | y and l(y) ∧ φ ∧ x | y
to φ ∧ x | y. This allows us to economize 1, 1, 4 and 18(!) p- and l-atoms in the
respective axioms below.
Axiom 6
p(x) ∧ p(y) → ∃u. (x | u ∧ y | u)
Axiom 7
l(u) ∧ l(v) → ∃x. (x | u ∧ x | v)
Axiom 8
x|u∧x|v∧y|u∧y|v →x=y∨u=v
Axiom 9
x1 | u ∧ x2 | u ∧ x3 | u ∧ y1 | v ∧ y2 | v ∧ y3 | v
∧ x1 | l1 ∧ y2 | l1 ∧ p | l1 ∧ x2 | l2 ∧ y1 | l2 ∧ p | l2
∧ x1 | m1 ∧ y3 | m1 ∧ q | m1 ∧ x3 | m2 ∧ y1 | m2 ∧ q | m2
∧ x2 | n1 ∧ y3 | n1 ∧ r | n1 ∧ x3 | n2 ∧ y2 | n2 ∧ r | n2
→ l1 = l2 ∨ m1 = m2 ∨ n1 = n2 ∨ ∃w. (p | w ∧ q | w ∧ r | w)
These axioms in CL format correspond to Axioms 1–4 in the previous section. Some remarks on logical equivalence are in order here. Note the positive formulation of Axiom 8. In Axiom 9, collinearity of x1 , x2 , x3 , that is,
∃u. (x1 | u ∧ x2 | u ∧ x3 | u), has been reformulated using the logical equivalence of (∃u. φ(u)) → ψ and ∀u. (φ(u) → ψ) (u not free in ψ). Likewise for the
collinearity of y1 , y2 , y3 . The condition enforcing the intersections p, q, r to be
determinate, that is, l1 6= l2 , m1 6= m2 and n1 6= n2 , has been moved to the
conclusion using the logical equivalence of (¬φ ∧ ψ) → ζ and ψ → (φ ∨ ζ).
The final step is the mechanization of Desargues’ Axiom 5. As this axiom is
to be proved as a theorem, we may assume two triangles that are perspective
from a point, satisfying certain side conditions. We then have to prove that there
exists a perspectivity line. The logical structure of this is extremely simple: a
long list of facts (= closed atoms) and negated facts. Finally, the formula to be
proven is:
∃l. (p1 | l ∧ p2 | l ∧ p3 | l).
This is completely unproblematic from the point of view of CL, but geometrically
the situation, in particular with respect to the side conditions, is so complicated
that we prefer to explain this in a separate subsection.
3.3
Desargues configurations
Definition 1. A Desargues configuration D is a sequence of points S, A1 , A2 ,
A3 , B1 , B2 , B3 , P1 , P2 , P3 such that A1 , A2 , A3 are distinct, B1 , B2 , B3 are distinct, S, Ai , Bi are collinear for i = 1, 2, 3 and (Aj Ak ) and (Bj Bk ) are distinct
lines meeting in Pi , for all rotations (i, j, k) of (1, 2, 3).
Observe the following permutation invariance: if we have a Desargues configuration as above, then also S, Ai , Aj , Ak , Bi , Bj , Bk , Pi , Pj , Pk is a Desargues
configuration, for any permutation (i, j, k) of (1, 2, 3) (but only rotations will be
used). For the purpose of convenient reference, we fix the names of these points,
and we let D(x, y, z) denote the configuration obtained from permuting (1, 2, 3)
into (x, y, z). In particular we have D = D(1, 2, 3).
Having an automated reasoning tool makes it attractive to experiment with
different sets of side conditions. Cronheim’s starting point for proving Desargues
is a configuration consisting of seven distinct points (non-collinear A1 , A2 , A3
and non-collinear B1 , B2 , B3 , and a point S) and three distinct lines (Ai Bi )
which meet in S, the perspectivity point. Note that we have allowed A1 , A2 , A3
and/or B1 , B2 , B3 to be collinear but require that corresponding ‘edges of the
triangles’ are distinct.
Our set of conditions in Definition 1 is easily seen to follow from Cronheim’s.
Assume for example (A2 A3 ) = (B2 B3 ). Then the points A2 and B2 lie on both
(A2 B2 ) and (A2 A3 ) = (B2 B3 ). Hence by projective unicity (Axiom 3) the points
A2 and B2 are equal or we have (A2 B2 ) = (A2 A3 ). Similarly, A3 and B3 are
equal or (A3 B3 ) = (A2 A3 ). In all cases we violate Cronheim’s conditions.
For instance, the configurations in Figures 3–5, satisfy our conditions but
not Cronheim’s. Nevertheless, there is a perspectivity line. It turned out that
S,A1
A2
A3
P3
B1
B3 ,P2
S,A1 ,B3 ,P2
S
A3
A1
A2
P2
B1
B2 ,P3
Fig. 3. A1 = S; lines
(A2 A3 ) and (B2 B3 ) =
(P3 P2 ) meet in P1 at infinity.
B3
B2
Fig. 4. A degenerate
triangle A1 A2 A3 , where
(A2 A3 ) and (B2 B3 )
meet in P1 at infinity.
A3
A2 ,B2 ,P1 ,P3
B1
Fig. 5.
Another degenerate case, where
(A1 A2 ) and (B2 B3 ) are
equal.
the weaker conditions as formulated in Definition 1 were sufficient for the proof.
It is very well possible that the proof can be carried out under even weaker
conditions. We have not analyzed this any further. As a historical note we mention that leaving out the condition that A1 , A2 , A3 are distinct and B1 , B2 , B3
are distinct, such as done in [9, p. 129], leads to an axiom which implies that any
three points are collinear. This actually provides an interesting example which
is given in full detail in the appendix.
Desargues’ Axiom for humans can now be formulated as follows.
Axiom 10 (Desargues) For any Desargues configuration D such as in Definition 1, there exists a perspectivity line joining P1 , P2 and P3 .
Hessenberg’s Theorem for humans states that Axioms 1–4 imply Axiom 10.
For machines it reads:
Theorem 11 (Hessenberg). In the theory consisting of Axioms 6–9, ∆ and
equality axioms as usual, one can prove:
A1 | l1 ∧ B1 | l1 ∧ S | l1 ∧ A2 | l2 ∧ B2 | l2 ∧ S | l2 ∧ A3 | l3 ∧ B3 | l3 ∧ S | l3
∧ A2 | a1 ∧ A3 | a1 ∧ P1 | a1 ∧ A3 | a2 ∧ A1 | a2 ∧ P2 | a2
∧ A1 | a3 ∧ A2 | a3 ∧ P3 | a3 ∧ B2 | b1 ∧ B3 | b1 ∧ P1 | b1
∧ B3 | b2 ∧ B1 | b2 ∧ P2 | b2 ∧ B1 | b3 ∧ B2 | b3 ∧ P3 | b3
→ A1 = A2 ∨ A2 = A3 ∨ A3 = A1 ∨ B1 = B2 ∨ B2 = B3 ∨ B3 = B1
∨ a1 = b1 ∨ a2 = b2 ∨ a3 = b3 ∨ ∃l. (P1 | l ∧ P2 | l ∧ P3 | l)
4
The Reasoning Mechanism
This section describes how the reasoning mechanism of CL works. Abstractly,
this is by forward ground reasoning with case distinction to deal with disjunctions
and introduction of new constants to deal with existential quantification.
As an example we prove that any projective plane with at least four points
has at least three collinear points. Informally, the proof proceeds as follows.
Consider the intersection Q of the line joining two points with the line joining
two other points. If Q is different from the initial four points then both lines have
at least three points. Otherwise, if Q is equal to one of the initial four points,
say, the first, then the line through the third and the fourth point has at least
three points on it.
For a formal proof in CL, consider the theory consisting of Axioms 6,7, ∆
and equality axioms. Assume constants Pi and facts axiomatizing them as four
different points: p(Pi ) and Pi 6= Pj (1 ≤ i < j ≤ 4), which together form the
(initial) reasoning state. The goal is to prove:
∃u x y z. (x | u ∧ y | u ∧ z | u ∧ x 6= y ∧ y 6= z ∧ x 6= z)
For this goal to be a CL formula, x 6= y must be an atomic formula and cannot
be taken as shorthand for x = y → ⊥. This means that we have to define 6= as
the complement of =, which is done by extending the theory with the following
two CL axioms:
x = y ∨ x 6= y
x = y ∧ x 6= y → ⊥
In the remainder of this section we reason in the extended theory.
Given a reasoning state, a reasoning step consists in, first, picking a closed
instance C → D of an axiom which is invalid in the state. This means that the
antecedent C is true in the state, but the consequent D is not. More precisely,
this means that all facts in C occur in the state, but for no disjunct ∃x. Cj
of D there exist witnesses w such that Cj [x:=w] is true in the state. What
happens then depends on the form of the conclusion D. If D is a disjunction
of length zero, that is, D = ⊥, then we are done and any conclusion is valid.
If D is a disjunction of length one without existential quantifiers, then D is a
conjunction of facts and we simply add these facts to the state and continue. If
D is a disjunction of length one with existential quantifiers we introduce new
constants as witnesses and instantiate D with these constants, add the facts to
the state and continue. The state is also understood to be extended by the new
constants which may from now on be used in creating new closed instances of
axioms.
Let us illustrate the mechanism described so far by elaborating the example.
In the initial state above we have the facts p(P1 ) and p(P2 ). The instance p(P1 )∧
p(P2 ) → ∃u. (P1 | u ∧ P2 | u) of Axiom 6 is invalid since there is no line in the
initial state joining P1 and P2 . Applying this axiom ‘remedies’ this situation:
we add a constant l12 and facts P1 | l12 and P2 | l12 to the state. Note that the
name ‘l12 ’ is irrelevant as long as it is new. Applying the same axiom, but now
instantiated with P3 and P4 , leads to the further extension of the state with a
constant l34 and facts P3 |l34 and P4 |l34 . The instances P1 |l12 → p(P1 )∧l(l12 ) and
P3 | l34 → p(P3 ) ∧ l(l34 ) of the axiom x | y → p(x) ∧ l(y) from ∆ are invalid, so we
add the facts l(l12 ) and l(l34 ) to the state. (The facts p(P1 ) and p(P3 ) are already
present.) Next, we consider the instance l(l12 ) ∧ l(l34 ) → ∃x. (x | l12 ∧ x | l34 ) of
Axiom 7. This instance is invalid: in the current state there exists no intersection
of l12 and l34 . Therefore we introduce a constant Q and add the facts Q | l12 and
Q | l34 to the state. In a similar way as above the fact p(Q) is added. Summing
up, the reasoning state now extends the initial state with constants l12 , l34 , Q
and facts l(l12 ), l(l34 ), P1 | l12 , P2 | l12 , P3 | l34 , P4 | l34 , p(Q), Q | l12 , Q | l34 .
We continue the description of the reasoning mechanism. If D is a disjunction of length greater than one, then the reasoning mechanism distinguishes as
many cases as there are disjuncts in the disjunction. These cases are treated as
disjunctions of length one as described above. In all these cases the goal has to
be proven.
Let us continue the example with a disjunction of length two. In the state
we reached above the instance Q = P1 ∨ Q 6= P1 is invalid. Hence we distinguish
two cases:
Q = P1 We add this fact to the state and infer P1 | l34 from Q | l34 . Now that we
have the facts P1 | l34 , P3 | l34 , P4 | l34 , P1 6= P3 , P3 6= P4 , P1 6= P4 , the goal
holds by taking l34 , P1 , P3 , P4 for u, x, y, z, respectively.
Q 6= P1 We add this fact to the state and apply the invalid instance Q = P2 ∨Q 6=
P2 , which gives rise to two subcases:
Q = P2 This subcase is dealt with analogously to the case Q = P1 .
Q 6= P2 We add this fact to the state and have facts Q 6= P1 , P1 6= P2 , Q 6=
P2 , Q | l12 , P1 | l12 , P2 | l12 so that again the goal holds.
In the above argument almost all steps have been made explicit. We hope
to have convinced the reader of the usefulness of computer support. We have
implemented the CL proof procedure in Prolog, see [3, GL.pl]. The implementation generates Coq proof objects. The machine has the additional problem that
it doesn’t know which axiom to apply. The example above can easily be done
by brute force. Although in theory the proof of Hessenberg’s Theorem can also
be found by brute force, in practice one has to specify some ‘stepping stones’.
About one percent of the total number of reasoning steps had to be specified
before the system was able to find the proof.
5
The Complete Proof by Cronheim
Cronheim’s proof [5] of Hessenberg’s Theorem is three pages long and has a
remarkable level of detail. As can be guessed from the length of the machine
proof (thousands of steps), there are nevertheless quite a few details left out,
something which greatly improves the readability. In some cases, notably Hessenberg’s original argument, leaving out ‘details’ leads to incomplete or wrong
proofs. In some rare cases this may even lead to erroneous theorems.
In a formalization these details must all be taken care of, which is time
consuming and boring. It is here that we think that tools like the one described
in this paper have something to offer. The program turned out to be able to
deal with all the details left out by Cronheim. Moreover, we were able to leave
out many of the details that Cronheim deemed worth a few lines, mainly the
justifications of application of Pappus’ Axiom.
Thus the proof scripts are considerably shorter than the original text. The
ratio between the proof script describing (or rather generating) the formal proof
and the original text in informal mathematics is usually called the De Bruijnfactor (after N.G. de Bruijn, see [8]). In the early days of formalization the De
Bruijn-factor was around 10. Nowadays, it is around 4. Here it is in total around
1, and considerably smaller for some parts of the proof.
We give a high-level exhibition of the machine proof that we have constructed
in the proof assistant Coq with the help of a reasoning tool based on CL. The
proof closely follows Cronheim’s proof. Minor modifications will be justified on
the fly.
Cronheim distinguishes two cases: the general case which is caught by Hessenberg’s original argument, and a special case which was overseen for fifty
years. The case distinction can be phrased as: either φ or ¬φ, where φ abbreviates: “there exists a permutation (i, j, k) such that non(Ai , Bj , Bk ) and
non(Bk , Ai , Aj )”.5 We reformulate ¬φ into CL by φ0 :
for all rotations (i, j, k) of (1, 2, 3), Ai | (Bj Bk ) or Bk | (Ai Aj )
(φ0 )
The switch from ‘permutation’ to ‘rotation’ will be justified in Subsection 5.2.
Observe that φ0 amounts to 23 cases. In Subsection 5.2, still following Cronheim, it is shown that these can be reduced to 2 cases (Lemma 2): one triangle
circumscribes the other, a notion defined as follows.
Definition 2. Triangle A1 A2 A3 circumscribes triangle B1 B2 B3 if for all rotations (i, j, k) of (1, 2, 3) we have Bi | (Aj Ak ).
The existence of a perspectivity line in this special setting is proved in Subsection 5.3 (Lemma 3). First, in Subsection 5.1, we treat the ¬φ0 -case as proved
by Hessenberg’s original argument (Lemma 1). Finally, in Subsection 5.4 we
assemble these results to prove the main theorem (Theorem 11).
For the CL tool to construct the formal proof of Lemmas 1, 2, and 3, only the
essential steps had to be specified, namely the construction of the intersection
of two given lines, the construction of a line through two given points and of a
new line through three given points using Pappus’ Axiom. In the latter case it
was never necessary to specify the two lines with each three points and the three
pairs of lines whose respective intersections are collinear by the new line to be
constructed. Neither was it necessary to give the details of the proof that the
application of Pappus’ Axiom was justified. All files can be found on [3].
5.1
Hessenberg’s incomplete argument
In this section we reproduce the argument which Hessenberg took for a complete
proof. In fact this argument only proves the existence of a perspectivity line under
some additional, non-trivial assumptions.
Lemma 1. Let D be a Desargues configuration. Then there exists a perspectivity
line joining P1 , P2 , P3 , or A1 | (B2 B3 ), or B3 | (A1 A2 ).
5
The notation (P, Q, R) corresponds to P | (QR) and ‘non’ stands for negation.
Proof. Consider Figure 2 on page 6, and define four further points:
Q ≡ ((A1 A2 )(B3 B2 )) E ≡ ((A1 A3 )(SQ))
X ≡ ((A1 B3 )(SA2 )) F ≡ ((B1 B3 )(SQ))
Then, the points Pi are shown to be collinear by three applications of Axiom 4,
as shown in Figures 6–8.
All files concerning this lemma can be found on [3, cro case1.*].
S
0
1
S A3 B 3
@ A1 Q A 2 A
P1 X E
E
X
A1
B3
Q
A3
A2
P1
Fig. 6. Proof of Lem. 1: first application of Ax. 4.
S
0
1
S A1 B1
@ B3 B2 Q A
P3 F X
X
A1
F
B1
B3
P3
Q
B2
Fig. 7. Proof of Lem. 1: second application of Ax. 4.
S
1
A1 B3 X
@ F
E Q A
P1 P2 P3
0
E
X
A1
F
B3
P2
P3
Q
P1
Fig. 8. Proof of Lem. 1: third application of Ax. 4.
The gap in Hessenberg’s original proof was that Q = F = B3 if B3 | (A1 A2 )
and Q = E = A1 if A1 | (B2 B3 ). Then in particular the third application of
Pappus’ Axiom, see Figure 8, cannot be justified. Therefore the disjuncts A1 |
(B2 B3 ) and B3 | (A1 A2 ) have been added to the conclusion of Lemma 1.
Corollary 1. Let D be a Desargues configuration. Then there exists a perspectivity line joining P1 , P2 , P3 or, for any permutation (i, j, k) of (1, 2, 3),
Ai | (Bj Bk ) or Bk | (Ai Aj ).
5.2
Reducing 8 gaps to 2
There is some redundancy in [5, p. 219 (2)] that we wish to avoid in our
formalization. Let us first reformulate the premiss of (2) “there does not exist a permutation (i, j, k) of the numbers (1, 2, 3) such that non(Ai , Bj , Bk )
and non(Bk , Ai , Aj ) simultaneously” in a more positive way: for all permutations (i, j, k) one has Ai | (Bj Bk ) or Bk | (Ai Aj ). The conclusion of (2) “either
(Ax , By , Bz ) for all permutations (x, y, z) or (Bx , Ay , Az ) for all permutations
(x, y, z)” may be paraphrased as: one triangle circumscribes the other. This case
is treated in Subsection 5.3.
There are six permutations of the numbers (1, 2, 3). The even permutations
correspond to rotations, the odd ones combine rotation with mirroring. In the
premiss of (2) an odd permutation boils down to rotating and interchanging
the two triangles. For example, the rotation (3, 1, 2) yields the disjunction A3 |
(B1 B2 ) ∨ B2 | (A3 A1 ). If we interchange the two triangles we get B3 | (A1 A2 ) ∨
A2 | (B3 B1 ), which by commutativity corresponds with (2, 1, 3), indeed an odd
permutation. Since the conclusion of (2) is invariant under interchanging the two
triangles, it can already be expected that one needs only permutations of one
particular sign. This is indeed the case and we prefer to restrict the premiss to the
even permutations, that is, to the rotations. Under the premisses of Desargues’
Axiom, which are invariant under interchanging the two triangles, the system
can automatically prove Lemma 2. As observed by Cronheim, this lemma is
independent of Pappus’ Axiom.
Lemma 2. If Ai | (Bj Bk ) ∨ Bk | (Ai Aj ) for all rotations (i, j, k) of (1, 2, 3),
then there exists a perspectivity line, or triangle A1 A2 A3 circumscribes triangle
B1 B2 B3 , that is, Ai | (Bj Bk ) for all rotations (i, j, k) of (1, 2, 3), or vice versa.
Adding the disjunct ‘there exists a perspectivity line’ to the conclusion of the
lemma above made it possible to prove Hessenberg’s Theorem with weaker side
conditions than Cronheim. All files concerning this lemma can be found on [3,
cro 8 2.*].
5.3
The special case: one triangle circumscribes the other
An example configuration where triangle B1 B2 B3 circumscribes A1 A2 A3 is depicted in Figure 9.
P3
P2
B1
A2
A3
S
B3
A1
B2
P1
Fig. 9. B1 B2 B3 circumscribes A1 A2 A3 .
Lemma 3. For any Desargues configuration D where triangle B1 B2 B3 circumscribes triangle A1 A2 A3 , there exists a perspectivity line joining the Pi = ((Aj Ak )(Bj Bk )).
Proof. Consider Figure 9, and define the following points:
Q1 ≡ ((B3 P3 )(SA1 ))
Q2 ≡ ((B3 P3 )(SA2 ))
Then, collinearity of the Pi follows from three applications of Pappus (Axiom 4),
as shown in Figures 10–12, respectively.
All files concerning this lemma can be found on [3, cro case2.*].
Q1
0
1
S A3 B3
@ P3 A2 A1 A
P2 Q1 B2
0
1
S A3 B3
@ P3 A1 A2 A
P1 Q 2 B 1
P3
Q2
B1
P3
A2
P2
A2
A3
S
B3
A3
A1
P1
S
B3
A1
B2
Fig. 11. Proof of Lem. 3: second application of
Ax. 4.
Fig. 10. Proof of Lem. 3: first
application of Ax. 4.
5.4
Assembling the parts
We exhibit our formal proof of Hessenberg’s Theorem (11), consisting of three
applications of Lemma 1, one of Lemma 2 and two of Lemma 3. The corresponding Coq file can be retrieved from [3, ht.v].
Consider a configuration D. The goal, say ψ, is to prove the existence of a
perspectivity line joining the points Pi :
ψ ≡ ∃l. (P1 | l ∧ P2 | l ∧ P3 | l)
Applying Lemma 1 to a configuration D(x, y, z), we get that either ψ, and then
we are done, or Ax | (By Bz ) ∨ Bz | (Ax Ay ). Thus, by application of Lemma 1 to
each of the rotations of (1, 2, 3), we have asserted three disjunctions:
A1 | (B2 B3 ) ∨ B3 | (A1 A2 ),
A2 | (B3 B1 ) ∨ B1 | (A2 A3 ),
A3 | (B1 B2 ) ∨ B2 | (A3 A1 ).
Given these new facts, we are ready to apply Lemma 2, by which we get two
symmetrical cases, either B1 B2 B3 circumscribes A1 A2 A3 , or vice versa. Both
cases are solved by application of Lemma 3; for the second case the rôles of A
and B in Lemma 3 have to be interchanged.
References
1. M. Bezem and T. Coquand. Newman’s Lemma – a Case Study in Proof Automation
and Geometric Logic. In G. Păun, G. Rozenberg, and A. Salomaa, editors, Current
Q1
0
1
Q 1 A1 B 1
@ A2 Q 2 B 2 A
P1 P2 P3
P3
P2
Q2
B1
A2
A1
B2
P1
Fig. 12. Proof of Lem. 3: third application of Ax. 4.
2.
3.
4.
5.
6.
7.
8.
9.
10.
trends in Theoretical Computer Science, volume 2, pages 267–282. World Scientific,
2004.
M. Bezem and T. Coquand. Automating Coherent Logic. In G. Sutcliffe and
A. Voronkov, editors, Proceedings LPAR-12, number 3825 in Lecture Notes in
Computer Science, pages 246–260, Berlin, 2005. Springer-Verlag.
M. Bezem and D. Hendriks.
CL tool, input files, Coq files.
http://www.cs.vu.nl/~diem/coq/ht/.
H.S.M. Coxeter. The Real Projective Plane. Cambridge University Press, second
edition, 1955.
A. Cronheim. A Proof of Hessenberg’s Theorem. Proceedings of the AMS, 4(2):219–
221, 1953.
G. Hessenberg. Beweis des Desarguesschen Satzes aus dem Pascalschen. Mathematische Annalen, 61:161–172, 1905.
P. Johnstone. Sketches of an Elephant: a topos theory compendium, volume 2.
Oxford University Press, 2002.
R.P. Nederpelt, J.H. Geuvers, and R.C. de Vrijer (editors). Selected Papers on
Automath. North-Holland, 1994.
Th. Skolem. Logisch-kombinatorische Untersuchungen über die Erfüllbar-keit und
Beweisbarkeit mathematischen Sätze nebst einem Theoreme über dichte Mengen,
Skrifter I, 4:1–36, Det Norske Videnskaps-Akademi, 1920. In J.E. Fenstad, editor,
Selected Works in Logic, pages 103–136. Universitetsforlaget, 1970.
The Coq Development Team. The Coq Proof Assistant Reference Manual, version 8.0, 2004. http://coq.inria.fr/.
Appendix
In Figure 13 we have reproduced the example (Beispiel ) from [9, p. 29] in which
Skolem illustrates the proof theoretic techniques developed earlier in his paper
by showing that Desargues’ Axiom is independent of the basic axioms of projective plane geometry. First Skolem formulates Desargues’ Axiom as a coherent
Beispiel: Es sei zu untersuchen, ob der Desarguesche
Satz von den homologen Dreiecken aus den aufgestellten Verknüpfungsaxiomen folge oder nicht. Dieser Satz
ist ja ein deskriptiver. Er sagt in der kombinatorischen
Sprache folgendes: Wenn die Paare
(3)
(A1 b1 )(A1 c1 )(B1 a1 )(B1 c1 )(C1 a1 )(C1 b1 )
(A2 b2 )(A2 c2 )(B2 a2 )(B2 c2 )(C2 a2 )(C2 b2 )
(A1 d)(A2 d)(P d)(B1 e)(B2 e)(P e)(C1 f )(C2 f )(P f )
(Da1 )(Da2 )(Dp)(Eb1 )(Eb2 )(Ep)(F c1 )(F c2 )
vorkommen, dann soll auch mindenstens eines der
Paare
(4) (F p)(a1 a2 )(b1 b2 )(c1 c2 )
vorhanden sein.
Fig. 13. Fragment from Skolem [9, p. 29].
formula. Instead of using an existential quantifier to express the collinearity of
D, E and F he states that any line p joining D and E contains F . Since there
is always such a line p, these two formulations are equivalent. More interesting
are Skolem’s side conditions which appear positively in his disjunctive conclusion (F p)(a1 a2 )(b1 b2 )(c1 c2 ). These side conditions have the same function as the
side conditions in Pappus’ Axiom, namely to cover the cases in which intersections would become indeterminate. It turns out that Skolem’s side conditions are
too weak and that therefore his formulation of Desargues’ Axiom is too strong.
It allows us in fact to prove that any three points are collinear, thus trivializing the projective plane. As this proof is small, it provides a good example to
demonstrate our machinery in full detail. By the way, Skolem’s proof theoretic
argument applies equally well to a correct formulation of Desargues’ Axiom, for
example, with a disjunctive conclusion
(F p)(a1 a2 )(b1 b2 )(c1 c2 )(A1 B1 )(B1 C1 )(A1 C1 )(A2 B2 )(B2 C2 )(A2 C2 )
We would like to stress that we chose this example as a historical anecdote which
serves our explanatory purposes well, and that we do not in any way intend to
question the value of Skolem’s contribution.
The automated reasoning tool [3, GL.pl] has been implemented in the programming language Prolog. In the input file below, most of the clauses have
the form <tag> axiom <term> : (<formula>). We explain each of the constituents:
<tag>, if different from ‘ ’, controls the use of the axiom. This is used only for
one axiom, tagged abc(P,Q). In combination with the enabled and the next
predicates in the last two clauses of the input this limits the construction of
new lines to lines through different points a, b, c.
<term> gives a name to the axiom including all universally quantified variables.
This is used to keep track of which instances of which axioms have been used.
<formula> states the coherent formula in question. Here Prolog syntax is used,
that is, variables start with a capital, ‘,’ stands for conjunction, ‘=>’ for
implication, ‘;’ for disjunction. Finally, dom on the right of ‘=>’ in the axioms
for projective lines and points stands for existential quantification. If Axiom
3.6 is used, variable L is substituted by a fresh object (name), which is
subsequently added to the domain. This is the common way of using an
existential statement.
We trust that the comments after the symbol ‘%’ now sufficiently explain the
input file.
name(’DbyS’).
% Desargues’ Axiom by Skolem
:- dynamic p/1,l/1,i/2,e/2.
% unary predicates: p for point, l for line
% binary predicates: i for incidence, e for equality
dom(a). dom(b). dom(c).
% three constants a,b,c in the domain
_ axiom points: (true => p(a),p(b),p(c)).
% a,b,c are points
% goal is proved if a,b,c are collinear
_ axiom goal_proved(L): (i(a,L),i(b,L),i(c,L) => goal).
_ axiom sortp(P,L) : (i(P,L) => p(P)). % incidence pairs have points left
_ axiom sortl(P,L) : (i(P,L) => l(L)). % and lines right
%
_
_
_
_
equality axioms
axiom p_ref(X)
axiom l_ref(X)
axiom sym(X,Y)
axiom tra(X,Y,Z)
%
%
_
%
_
congruence axioms
equal points lie on the same lines
axiom conp(P,Q,L) : (e(P,Q),i(Q,L) => i(P,L)).
equal lines have the same points
axiom conl(P,L,M) : (i(P,L),e(L,M) => i(P,M)).
:
:
:
:
(p(X) => e(X,X)).
(l(X) => e(X,X)).
(e(X,Y) => e(Y,X)).
(e(X,Y),e(Y,Z) => e(X,Z)).
%
%
%
%
reflexivity for points
reflexivity for lines
symmetry
transitivity
% projective geometry (Axioms 3.6-3.8)
abc(P,Q) axiom line(P,Q) : (p(P),p(Q) => dom(L),i(P,L),i(Q,L)).
_ axiom point(L,M) : (l(L),l(M) => dom(P),i(P,L),i(P,M)).
_ axiom unique(P,Q,L,M) : (i(P,L),i(P,M),i(Q,L),i(Q,M) => e(P,Q);e(L,M)).
%
%
%
_
Desargues by Skolem
capital letters L prefix Skolem’s names for lines in order to comply
with Prolog’s convention on variables
axiom wrong(A1,B1,C1,A2,B2,C2,La1,Lb1,Lc1,La2,Lb2,Lc2,
P,Ld,Le,Lf,D,E,F,Lp):
(
i(A1,Lb1),i(A1,Lc1),i(B1,La1),i(B1,Lc1),i(C1,La1),i(C1,Lb1),
% A1B1C1
i(A2,Lb2),i(A2,Lc2),i(B2,La2),i(B2,Lc2),i(C2,La2),i(C2,Lb2),
% A2B2C2
i(A1,Ld),i(A2,Ld),i(P,Ld), % \
i(B1,Le),i(B2,Le),i(P,Le), % - P is point of perspectivity
i(C1,Lf),i(C2,Lf),i(P,Lf), % /
% line Lp is the candidate perspectivity line through D and E
i(D,La1),i(D,La2),i(D,Lp),i(E,Lb1),i(E,Lb2),i(E,Lp),i(F,Lc1),i(F,Lc2)
=>
% on which F should lie as well, or a pair of corresp. edges coincides
i(F,Lp);e(La1,La2);e(Lb1,Lb2);e(Lc1,Lc2)
).
enabled(abc(P,Q),[]) :- member(P,[a,b,c]),member(Q,[a,b,c]),P \= Q.
next(abc(P,Q),[],[]).
Next we list the output file, which is self-explaining to a large degree. The only
difficult point is the application of Skolem’s formulation of Desargues’ Axiom,
which we will explain at the end.
By axiom points using true we have:
p(a) /\ p(b) /\ p(c)
By axiom p_ref(a) using p(a) we have:
e(a,a)
By axiom p_ref(b) using p(b) we have:
e(b,b)
By axiom p_ref(c) using p(c) we have:
e(c,c)
By axiom line(a,b) using p(a) /\ p(b) we have:
i(a,w0) /\ i(b,w0)
By axiom sortl(a,w0) using i(a,w0) we have:
l(w0)
By axiom l_ref(w0) using l(w0) we have:
e(w0,w0)
By axiom line(a,c) using p(a) /\ p(c) we have:
i(a,w1) /\ i(c,w1)
By axiom sortl(a,w1) using i(a,w1) we have:
l(w1)
By axiom l_ref(w1) using l(w1) we have:
e(w1,w1)
By axiom line(b,c) using p(b) /\ p(c) we have:
i(b,w2) /\ i(c,w2)
By axiom sortl(b,w2) using i(b,w2) we have:
l(w2)
By axiom l_ref(w2) using l(w2) we have:
e(w2,w2)
By axiom wrong(a,a,a,c,c,a,w0,w0,w0,w1,w1,w2,a,w1,w1,w0,a,a,b,w1)
using
i(a,w0) /\ i(a,w0) /\ i(a,w0) /\ i(a,w0) /\ i(a,w0) /\ i(a,w0) /\
i(c,w1) /\ i(c,w2) /\ i(c,w1) /\ i(c,w2) /\ i(a,w1) /\ i(a,w1) /\
i(a,w1) /\ i(c,w1) /\ i(a,w1) /\ i(a,w1) /\ i(c,w1) /\ i(a,w1) /\
i(a,w0) /\ i(a,w0) /\ i(a,w0) /\ i(a,w0) /\ i(a,w1) /\ i(a,w1) /\
i(a,w0) /\ i(a,w1) /\ i(a,w1) /\ i(b,w0) /\ i(b,w2)
we have:
i(b,w1) \/ e(w0,w1) \/ e(w0,w1) \/ e(w0,w2)
stack pushed, stack: i(b,w1) \/ e(w0,w1) \/ e(w0,w1) \/ e(w0,w2) :: nil
stack top tailed: i(b,w1)
By axiom goal_proved(w1) using i(a,w1) /\ i(b,w1) /\ i(c,w1) we have:
goal
valid, stack: e(w0,w1) \/ e(w0,w1) \/ e(w0,w2) :: nil
stack top tailed: e(w0,w1)
By axiom sym(w0,w1) using e(w0,w1) we have:
e(w1,w0)
By axiom conl(b,w0,w1) using i(b,w0) /\ e(w0,w1) we have:
i(b,w1)
By axiom goal_proved(w1) using i(a,w1) /\ i(b,w1) /\ i(c,w1) we have:
goal
valid, stack: e(w0,w1) \/ e(w0,w2) :: nil
stack top tailed: e(w0,w1)
By axiom sym(w0,w1) using e(w0,w1) we have:
e(w1,w0)
By axiom conl(b,w0,w1) using i(b,w0) /\ e(w0,w1) we have:
i(b,w1)
By axiom goal_proved(w1) using i(a,w1) /\ i(b,w1) /\ i(c,w1) we have:
goal
valid, stack: e(w0,w2) :: nil
stack popped: e(w0,w2)
By axiom sym(w0,w2) using e(w0,w2) we have:
e(w2,w0)
By axiom conl(a,w0,w2) using i(a,w0) /\ e(w0,w2) we have:
i(a,w2)
By axiom goal_proved(w2) using i(a,w2) /\ i(b,w2) /\ i(c,w2) we have:
goal
valid, stack: nil
Yes
By matching the wrong-terms in input and output:
wrong(A1,B1,C1,A2,B2,C2,La1,Lb1,Lc1,La2,Lb2,Lc2,P, Ld, Le, Lf,D,E,F,Lp)
wrong( a, a, a, c, c, a, w0, w0, w0, w1, w1, w2,a, w1, w1, w0,a,a,b,w1)
we find that Desargues’ Axiom in Skolem’s formulation is applied by the machine
in the following completely degenerated case. The first triangle is the point a,
the second triangle consists of the points c, a, with a as point of perspectivity.
The edges of the first triangle all coincide with the line w0 joining a, b. The
edges of the second triangle are w1 joining a, c (a2 , b2 ) and w2 joining b, c (c2 ).
Note that these edges are in accordance with the degeneration of the second
triangle. With this particular choice of edges, corresponding edges meet in a, a,
b, respectively. Any line through a connects D and E, so in particular w1 does
this. The conclusion that F which is equal to b lies on w1 leads to the collinearity
of a, b, c, and so does each of the other disjuncts in the conclusion
i(b,w1) \/ e(w0,w1) \/ e(w0,w1) \/ e(w0,w2)